The internet hasn't been a kind place lately and it feels like every other company is either getting hacked or their data stolen from right under their noses. But what happens when someone isn't interested in stealing your data but destroying it?
A newly reported flaw in WhatsApp's account-verification system may allow a malicious actor to lock you out of your account and then have it deleted.
More alarming is the fact that, to pull this off, the attacker needs only the victim's phone number. As reported by Forbes, the attack works by gaming WhatsApp's own safeguards.
When you install WhatsApp on a new phone, you may have noticed that it asks for your phone number and verifies it by sending a code by SMS. The problem is that this phone number can be entered on any device running WhatsApp, and the attacker simply has to fail the verification enough times for WhatsApp to stop sending codes to that number for a period of 12 hours.
The only way you will know any of this is happening is by checking your messages and seeing lots of verification codes. WhatsApp itself will keep working just fine on your phone despite the number of verification codes you suddenly start receiving.
The moment WhatsApp puts a 12-hour lock on your account for failing the verification check too many times, the attacker creates a new email address and sends a mail to support@whatsapp.com claiming to have lost their phone and asking for the account to be deactivated.
The problem is that there is no way for WhatsApp to know the email isn't from you, and there appear to be no follow-up questions either. The mail starts an automatic process, and your WhatsApp account is then placed in a queue for deletion.
Now WhatsApp will show you a message saying that your account is locked and allow you to log back in if you verify your phone number. The problem? The system has already blocked codes being sent to your number for 12 hours.
Worse, the attacker can repeat the process up to three more times, after which WhatsApp's security seems to break and the 12-hour lockdown perplexingly changes to -1 seconds. At that point the system has stalled and there is no way for you to get back in.
This is too major a flaw to be present on a platform with 2 billion active users around the world. Make sure you have two-factor authentication turned on in the settings, and if you suddenly start receiving lots of verification codes, contact support immediately.
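The core of the problem described above is that two independent safeguards interact badly: the SMS-code rate limit can be triggered by anyone who knows the number, and the email deactivation path accepts a claim of ownership with no proof of control, precisely while the real owner cannot receive codes. The toy model below is an added example, not WhatsApp's code; the failure threshold, the status names and the handler functions are assumptions chosen for illustration. It shows a naive deactivation handler that queues deletion on an unverified email, next to a hardened one that requires the two-factor PIN the article recommends, or holds the request while an SMS lockout is active so the owner keeps a path back in.

```python
"""Toy model (added example, not WhatsApp's code) of how an SMS-verification
lockout and an email-driven deactivation request can interact.
All thresholds, names and flows here are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional

LOCKOUT_SECONDS = 12 * 3600   # the 12-hour lockout the article describes
MAX_FAILED_CODES = 5          # assumed threshold; the real value is not given on the page


@dataclass
class Account:
    phone: str
    two_factor_pin: Optional[str] = None  # the 2FA PIN the article recommends enabling
    failed_codes: int = 0
    lockout_until: float = 0.0
    status: str = "active"  # active | pending_deletion | held_for_review | rejected | awaiting_sms_confirmation


class VerificationService:
    """Tracks failed SMS-code attempts and the resulting lockout.
    The clock is injected so the lockout expiry can be tested offline."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def locked(self, acct: Account) -> bool:
        return self.now < acct.lockout_until

    def fail_code(self, acct: Account) -> None:
        """Anyone who knows the phone number can trigger this path; after
        MAX_FAILED_CODES failures, no codes are sent for LOCKOUT_SECONDS."""
        if self.locked(acct):
            return
        acct.failed_codes += 1
        if acct.failed_codes >= MAX_FAILED_CODES:
            acct.lockout_until = self.now + LOCKOUT_SECONDS
            acct.failed_codes = 0

    def verify_code(self, acct: Account, sent_code: str, entered_code: str) -> bool:
        """Owner-side check: a correct code resets the counter, a wrong one counts
        as a failure, and nothing can be verified while the lockout is active."""
        if self.locked(acct):
            return False
        if sent_code == entered_code:
            acct.failed_codes = 0
            return True
        self.fail_code(acct)
        return False


def naive_deactivate(acct: Account, claimed_phone: str) -> str:
    """The weak flow: an email naming the phone number is enough to queue
    deletion, even while the real owner cannot receive verification codes."""
    if claimed_phone == acct.phone:
        acct.status = "pending_deletion"
    return acct.status


def hardened_deactivate(svc: VerificationService, acct: Account,
                        claimed_phone: str, presented_pin: Optional[str] = None) -> str:
    """Hardened flow (assumed design): email alone never deletes.
    - With 2FA enabled, the request must carry the PIN or it is rejected.
    - During an SMS lockout, the request is held for review rather than
      auto-processed, so the owner is not locked out and deleted at once.
    - Otherwise, a confirmation code goes to the registered number, which
      stays subject to the same rate limit."""
    if claimed_phone != acct.phone:
        return acct.status
    if acct.two_factor_pin is not None:
        acct.status = "pending_deletion" if presented_pin == acct.two_factor_pin else "rejected"
    elif svc.locked(acct):
        acct.status = "held_for_review"
    else:
        acct.status = "awaiting_sms_confirmation"
    return acct.status


def run_scenario() -> dict:
    """Replays the article's sequence against both handlers on constructed sample accounts."""
    svc = VerificationService(now=0.0)
    victim = Account(phone="+15550000000")  # constructed sample number
    for _ in range(MAX_FAILED_CODES):       # attacker burns the code budget
        svc.fail_code(victim)
    weak = naive_deactivate(victim, victim.phone)

    victim_held = Account(phone="+15550000000")
    for _ in range(MAX_FAILED_CODES):
        svc.fail_code(victim_held)
    held = hardened_deactivate(svc, victim_held, victim_held.phone)

    victim_2fa = Account(phone="+15550000000", two_factor_pin="123456")  # constructed PIN
    for _ in range(MAX_FAILED_CODES):
        svc.fail_code(victim_2fa)
    rejected = hardened_deactivate(svc, victim_2fa, victim_2fa.phone, presented_pin=None)
    return {"naive": weak, "hardened_locked": held, "hardened_2fa_no_pin": rejected}


if __name__ == "__main__":
    print(run_scenario())
```

The hardened handler does not try to make the SMS rate limit smarter; it simply refuses to let an unverified email request complete while the owner's recovery channel is unavailable, which is the gap the article identifies.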
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!